POSTAL REGULATORY COMMISSION
OFFICE OF INSPECTOR GENERAL

FINAL AUDIT REPORT

INFORMATION TECHNOLOGY GOVERNANCE AND INFORMATION SECURITY PLANNING

Audit Report 07-02A-01
January 30, 2008

Digitally signed by Jack Callender
DN: cn=Jack Callender, o=PRC, ou=OIG, email=prc-ig@prc.gov, c=US
JACK CALLENDER
INSPECTOR GENERAL

TABLE OF CONTENTS

EXECUTIVE SUMMARY
INTRODUCTION
   Background
   Objectives, Scope and Methodology
RESULTS
   Information Security Plans
   Information Security Policies and Procedures
   Ongoing Monitoring
RECOMMENDATIONS
GLOSSARY (Appendix I)
AGENCY RESPONSE (Appendix II)

EXECUTIVE SUMMARY

Introduction

We audited the Postal Regulatory Commission's (PRC) information technology governance and information security planning to assess whether the PRC is taking a proactive approach to managing risk by aligning its information security plan with overall agency strategic plans, planning an organizational structure with clearly identified information security roles and responsibilities, planning to develop a secure enterprise architecture, and planning to document security objectives. The PRC has taken the initiative to adhere to the Federal Information Security Management Act (FISMA) of 2002, Title III of the E-Government Act (Public Law 107-347), which requires that all federal agencies develop and implement an agency-wide security program to safeguard the agency's information technology (IT) assets and data.

Results in Brief

The PRC has taken a proactive approach to its information security governance. However, the PRC does not have a formal, comprehensive information security plan that identifies management objectives. It has not identified an organizational structure with associated roles and responsibilities. The PRC has not identified an enterprise architecture that describes the current and future structure and identifies expected user behavior. It does not have formal information security policies and procedures that identify the security controls required to protect its information assets. Finally, the PRC has not established an ongoing monitoring plan, with milestones for completion, to ensure that its objectives are achieved.

Summary of Recommendations

The PRC should continue to support the preparation, completion and final approval of a formal information security plan; implement an organizational structure with defined roles and responsibilities; implement formal information security policies and procedures; document the enterprise architecture; and implement an ongoing monitoring plan with achievable and realistic milestones for completion.

INTRODUCTION

Background

The Postal Regulatory Commission (PRC) was established by the Postal Accountability and Enhancement Act of 2006 (PAEA), Public Law 109-435, enacted on December 20, 2006. Like most federal agencies, the PRC relies on information technology (IT) to run its operations and to provide public access to PRC proceedings and Postal Service information.

The National Institute of Standards and Technology (NIST) [1] defines information security governance as "the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives; are consistent with applicable laws and regulations through adherence to policies and internal controls; and provide assignment of responsibility, all in an effort to manage risk." [2]

An agency's information security governance structure should ensure that information security controls support its mission in an appropriate and cost-effective manner while managing evolving information security risks. Title III of the E-Government Act of 2002 (Public Law 107-347), the Federal Information Security Management Act (FISMA) [3], requires that all federal agencies develop and implement an agency-wide security program [4] designed to safeguard the agency's IT assets and data. Relevant laws and regulations place the responsibility and accountability for information security at all levels within federal agencies, from the agency head to each IT user. Based on these laws and regulations, NIST has developed a body of standards, guidance and practices for agencies to follow. PRC management has made a commitment to meeting FISMA's requirements.

[1] NIST is the standards-defining agency of the U.S. government, formerly the National Bureau of Standards. It is one of three agencies that fall under the Technology Administration (www.technology.gov), a branch of the U.S. Commerce Department devoted to advancing American economic growth using technology. (www.nist.gov)
[2] Special Publication 800-100, Information Security Handbook: A Guide for Managers, provides an overview of information security elements that managers can understand, establish and implement as an effective information security program.
[3] FISMA requires federal agencies to understand their information systems and sets forth specific requirements that each agency's information security program should meet, or for which the agency should state its rationale for not adhering to them.
[4] To be effective, a security program must: (a) provide for periodic assessment of risk; (b) implement policies and procedures based on the risk assessment; (c) provide plans for information security for the organization's networks, facilities and information systems; (d) provide security awareness training; (e) provide for periodic testing and evaluation of the information security policies, procedures, practices and security controls, as well as planning, implementing, evaluating and documenting remedial activities; (f) provide procedures for detecting and reporting incidents; and (g) plan for the assurance of continuity.

For information security governance to be effective, management's planning should include identifying the agency's IT assets, assigning values to those assets, and documenting, developing and implementing security policies, procedures, standards and guidelines that provide for the integrity [5], confidentiality [6] and availability [7] of these assets. In addition, the PRC's information security governance structure should support the overall mission and strategic plans of the organization. The key components of an information security governance structure are illustrated in Figure 1.

[Figure 1: Information Security Governance Components, from NIST Special Publication 800-100 [8]. The figure shows, top to bottom: Governance / Strategic Planning; Organizational Structure, Roles and Responsibilities, and Enterprise Architecture; Policies and Guidelines; and Implementation, with Ongoing Monitoring shown alongside.]

[5] Integrity is defined as guarding against improper modification or destruction of information, and includes ensuring information non-repudiation and authenticity.
[6] Confidentiality is defined as preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
[7] Availability is defined as ensuring timely and reliable access to and use of information.
[8] National Institute of Standards and Technology, Information Security Handbook: A Guide for Managers. Special Publication 800-100 provides an overview of information security elements for managers.

Objectives, Scope and Methodology

The purpose of this audit is to determine whether the Postal Regulatory Commission is taking a proactive approach to managing risk by aligning its information security plans and governance structure with the agency's overall mission, goals and objectives, so as to ensure thorough information security planning. We relied on the PRC to provide its information security plans, including: (i) plans for an organizational structure that identifies specific roles and responsibilities for information and information assets; (ii) plans for agency-wide security policies and procedures for ensuring that management objectives for information and information technology are being maintained; (iii) plans for an enterprise architecture that is secure and protected, both internally and externally, against loss or misuse; and (iv) a Plan of Action and Milestones [9] (POA&M) from which to assess these ongoing monitoring efforts. We verified the existence or availability of this documentation, not its completeness or the specific controls in effect.

[9] POA&Ms are used by management to assist in identifying, assessing, prioritizing and monitoring the progress of corrective efforts for security weaknesses found in programs and systems, as described in NIST Special Publication 800-100.

RESULTS

The PRC has taken a proactive approach to establishing information technology governance and information security strategic planning. The PRC should continue to establish and implement, through the organization's growth and development, an information security governance program that appropriately identifies and ensures the adequacy and effectiveness of security for the enterprise's information assets. Effective information security planning and governance can be accomplished if the PRC ensures that:

• Information security is integrated with enterprise management, strategic planning, capital planning and enterprise architecture.
• Information security is implemented and maintained to meet all applicable requirements, laws, regulations and PRC organizational policies.
• The information security organizational structure remains adequate as the PRC evolves with PAEA legislative requirements.
• Information security policies are communicated to all stakeholders at all levels of the PRC organization, so that individuals can be held responsible for their actions.
• Information security responsibilities are assigned to appropriately trained individuals.
• Information security performance is measured and improved through continuous monitoring.

The PRC has obtained through contract services: (i) an independent assessment of, and suggested approach to, the development of the PRC's strategic goals, organizational structure, and job performance structure and criteria; and (ii) an independent risk evaluation and suggested guidance on security controls in accordance with NIST Special Publication 800-53. In addition, the PRC is working to ensure that the enterprise architecture is secure as it progresses through the re-engineering and redesign of its Web site. The PRC has not yet completed all of the components required for an effective information security governance environment.

Although PRC management was responsive to requests for information regarding its information security plans, organizational structure, agency-wide security policies, management objectives for information technology and current enterprise architecture, many of these documents were not yet completed.

Information Security Plans

The PRC does not have written and approved security plans. Information security plans should provide an overview of the security requirements of the organization and describe the controls planned for meeting those requirements. Formal security plans are important to any organization: an organization's security plan is management's communication mechanism for the information security structure of the organization.

The security plan should serve as a guide to define the functional and divisional plans that include information systems and information technology. This written security plan should:

• Provide a framework for decisions and for the security of information and information assets;
• Provide a basis for more detailed planning.

The PRC should finalize a comprehensive information security plan and create security plans for each of its information systems. The PRC should seek guidance in the creation and finalization of its security plans from the standards, guidance and baselines identified in:

• Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, which covers seventeen security-related areas;
• NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems; and
• NIST Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, Appendix A.

The PRC should ensure that its information security plans are sufficient and current to accommodate the information security environment, agency mission and operational requirements.

Organizational Structure

The information security plans should delineate organizational responsibilities as well as the expected behavior of all who have access to the PRC's systems. The individual who assumes the role of managing and addressing security in the organization carries a significant and potentially critical responsibility, ranging from the performance of risk assessments to the implementation of security policies and procedures. The security plan should cover all aspects of the organization, from human resource issues to specifically defined security duties and the PRC systems used in the organizational environment.

Roles and Responsibilities

The PRC should create information security plans that, at a minimum, identify information security roles and responsibilities and provide a baseline of security controls and rules for exceeding the baseline. The roles and responsibilities should clearly identify the PRC's expectations for user compliance and the repercussions for noncompliance.

Enterprise Architecture

The PRC should continue to develop, document and identify its current enterprise architecture. The enterprise architecture should describe the current and future structure and behavior of the organization's processes, information systems and personnel, aligned with the organization's core goals and strategic direction. A strong enterprise architecture process helps to determine whether:

• The current architecture supports the organization and adds value;
• Major changes or modifications to the architecture are necessary;
• The current architecture supports the PRC's goals.

Information Security Policies and Procedures

The PRC does not have formal written information security policies and procedures that identify agency practices, rules, laws and regulations, and how the PRC chooses to manage, protect and distribute sensitive and non-sensitive information securely. Information security policies and procedures are essential to the organization's information security controls and should be developed by the PRC. Without written and approved information security policies and procedures in place, the PRC cannot ensure the continued availability, confidentiality and integrity of its information assets.

Ongoing Monitoring

The PRC does not have an ongoing monitoring process in place to ensure that its planned mission and objectives are on target and that the appropriate security controls are in place to protect the overall agency environment. The PRC's information governance structure (i.e., security plans, organizational structure, roles and responsibilities) can be enhanced by an ongoing monitoring and assessment process that confirms its mission and objectives remain appropriate as originally planned. This ongoing review process also ensures that present information security controls do not become obsolete, and it provides opportunities to discover new technologies that may better serve and support the agency in the future.

RECOMMENDATIONS

The PRC should continue to:

• Support the preparation, completion and final approval of a formal information security plan.

   Management Response [10]

   Management agreed with our recommendation and stated that the security plan will supplement and support the Commission's IT security policy currently under review. The Commission plans to complete its information security plan by June 30, 2008.

   Evaluation of Management Response

   Management's comments are responsive to the recommendation, and the action taken or planned should correct the issue identified.

• Implement an organizational structure with defined roles and responsibilities.

   Management Response

   Management agreed with our recommendation and stated that the PRC expects to implement an organizational structure with better defined roles and responsibilities by March 31, 2008.

   Evaluation of Management Response

   Management's comments are responsive to the recommendation, and the action taken or planned should correct the issue identified.

• Implement formal information security policies and procedures.

   Management Response

   Management agreed with our recommendation and stated that the PRC has performed a risk assessment of its security controls that will be used as a foundation in formulating its security policy and plan, to be implemented by June 30, 2008.

   Evaluation of Management Response

   Management's comments are responsive to the recommendation, and the action taken or planned should correct the issue identified.

• Document the enterprise architecture.

   Management Response

   Management agreed with our recommendation and stated that the PRC is researching and documenting the enterprise architecture of the existing information technology structure. The Commission expects to have a formal enterprise architecture structure prepared by the first quarter of 2009.

   Evaluation of Management Response

   Management's comments are responsive to the recommendation, and the action taken or planned should correct the issue identified.

• Implement an ongoing monitoring plan with achievable and realistic milestones for completion.

   Management Response

   Management agreed with our recommendation and stated that the Commission expects to implement a formal monitoring plan upon completion of the security policies by June 30, 2008.

   Evaluation of Management Response

   Management's comments are responsive to the recommendation, and the action taken or planned should correct the issue identified.

[10] Management's comments in their entirety are included in Appendix II of this report.

We appreciate the courtesies and cooperation extended during this audit. If you need additional information, please contact Jack Callender at (202) 789-6817.

APPENDIX I

GLOSSARY

Agency: Any executive department, government corporation, government-controlled operation, or other establishment in the executive branch of the government, or any independent regulatory agency.

Federal Information Processing Standards (FIPS) Publications Series: Issued by the National Institute of Standards and Technology (NIST), FIPS are the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).

Federal Information Security Management Act (FISMA) of 2002: FISMA is the primary legislation governing federal information security programs. It delegates to NIST the responsibility to develop detailed information security standards and guidance for federal information systems, with the exception of national security systems. FISMA also delegates to the Office of Management and Budget (OMB) the oversight of federal agencies' information security implementation. Further, FISMA provides the framework for securing federal government IT resources, including key federal government and agency roles and responsibilities; requires agencies to integrate information security into their capital planning and enterprise architecture processes; requires agencies to conduct annual information security reviews of all programs and systems; and requires the results of those reviews to be reported to OMB. Enacted as Title III of the E-Government Act of 2002, FISMA tasks NIST with responsibility for standards and guidelines, including the development of:
   • Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency, based on the objective of providing appropriate levels of information security according to risk;
   • Guidelines for determining the types of information and information systems to be included in each category; and
   • Minimum information security requirements, e.g., management, operational and technical controls.

Guidelines: Official advice or recommendations indicating how something should be done or what sort of action should be taken in a particular circumstance.

Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Information Technology: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

Procedures: Detailed step-by-step instructions.

Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Security Policy: A security policy provides the basic information technology security procedures for management, the rules employees must adhere to, and the standards the information technology staff must maintain.

Standards: The level of quality or excellence that is accepted as the norm or by which actual attainments are judged.

Strategic Plan: A strategic plan is prepared to provide a framework for decisions. It is visionary by nature and does not reflect specific details and/or tasks to accomplish in the short term.

APPENDIX II

AGENCY RESPONSE